Bug 2168631 (CVE-2022-4904)

Summary: CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: askrabec, atikhono, hhorak, jburrell, jorton, jstanek, nodejs-maint, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 20:45:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2170860, 2170861, 2170862, 2170863, 2170866, 2170867, 2170868, 2170869, 2170870, 2170871, 2170872, 2170873, 2175837, 2175838, 2175839, 2175840, 2176102, 2178099, 2178100, 2178101, 2178102, 2178103, 2178104, 2178105, 2178106, 2178150, 2178151, 2178152    
Bug Blocks: 2168630, 2175314    

Description Marian Rehak 2023-02-09 15:33:16 UTC 
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str); statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.
Comment 1 Marian Rehak 2023-02-17 13:15:29 UTC 
Created c-ares tracking bugs for this issue:

Affects: fedora-all [bug 2170860]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2170861]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2170862]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2170863]
Comment 3 Marian Rehak 2023-02-17 13:51:16 UTC 
*** Bug 2165777 has been marked as a duplicate of this bug. ***
Comment 8 errata-xmlrpc 2023-03-30 12:36:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
Comment 9 errata-xmlrpc 2023-04-04 09:48:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582
Comment 10 errata-xmlrpc 2023-04-12 14:58:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
Comment 11 errata-xmlrpc 2023-04-12 14:59:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743
Comment 12 errata-xmlrpc 2023-04-12 15:07:38 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:1744 https://access.redhat.com/errata/RHSA-2023:1744
Comment 13 errata-xmlrpc 2023-05-09 11:46:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654
Comment 14 errata-xmlrpc 2023-05-09 11:46:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2655 https://access.redhat.com/errata/RHSA-2023:2655
Comment 15 Product Security DevOps Team 2023-05-09 20:45:24 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4904
Comment 17 errata-xmlrpc 2023-07-12 08:25:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4035 https://access.redhat.com/errata/RHSA-2023:4035
Comment 18 errata-xmlrpc 2023-10-09 10:26:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533
Comment 22 errata-xmlrpc 2023-11-02 15:50:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6291 https://access.redhat.com/errata/RHSA-2023:6291
Comment 23 errata-xmlrpc 2023-11-07 08:22:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6635 https://access.redhat.com/errata/RHSA-2023:6635
Comment 24 errata-xmlrpc 2023-11-14 15:22:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7116 https://access.redhat.com/errata/RHSA-2023:7116
Comment 25 errata-xmlrpc 2023-11-21 11:12:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7368 https://access.redhat.com/errata/RHSA-2023:7368
Comment 26 errata-xmlrpc 2023-11-28 15:36:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7543 https://access.redhat.com/errata/RHSA-2023:7543